Internet Security Alliance president Larry Clinton is adding his voice to those calling for including a robust cybersecurity program in upcoming infrastructure legislation expected to address expanded broadband access as well as services in other critical industries.
“President Biden’s massive infrastructure proposal — dubbed infrastructure for the digital age — includes a wide variety of items not traditionally thought of as infrastructure such as home health care, as well as some items that are very much digital infrastructure such as $650 million for expanded broadband networks,” Clinton said in a blog post on Thursday.
“But there is no money for cybersecurity,” Clinton wrote, echoing concerns raised by other cyber professionals.
“Proposing to build vast new broadband networks without providing adequate funding to secure these networks is literally the equivalent of building highways that will assure repeated traffic accidents and deaths,” according to Clinton.
“That metaphor is not excessive, if anything it understates the danger of not addressing cybersecurity as part of critical infrastructure upgrade,” Clinton wrote. “Cyber systems are integrated, so vulnerabilities in broadband systems serving remote areas are vulnerabilities to the entire system. We know, as evidenced by recent cyberattacks, such as SolarWinds, that adversaries look to attack systems at their weakest points and then use their entry into the system to reach more critical assets.”
Given the need to provide access to broadband nationwide, and the reality that even small businesses are subject to, and targets of, sophisticated cyber-attacks a sustainable system of cybersecurity must be folded into the infrastructure upgrade plan. Since the Biden plan already anticipates a tax element (i.e., raising taxes on larger corporations) perhaps balancing that proposal with tax credits to enhance the cybersecurity needs of the smaller broadband players would be a fitting addition to the proposal.
Former FCC security chief David Simpson also raised concerns that “Ignoring the introduction of known cyber risk factors to regions not previously served by broadband would be legislative malfeasance.”
But members of the Biden team have begun pushing back, arguing that the administration is taking a holistic approach and is well aware of the cybersecurity needs accompanying the infrastructure improvement effort.
Jeff Greene of the National Security Council, at a Cybersecurity Coalition event this week, said aspects of infrastructure security will be addressed in an upcoming executive order on supply-chain security and other issues, Nextgov reported.
Legislative pieces of the infrastructure effort are already emerging in Congress, based on bills that saw action — but not final passage — last year. Those measures contain various cyber provisions aimed at the critical industries in telecom, transportation, energy and health care.
The House Energy and Commerce Committee held a hearing in March on H.R. 1848, the “Leading Infrastructure for Tomorrow’s America Act,” known as the LIFT America Act.
According to a section-by-section analysis from the committee’s Democratic staff, the measure addresses cyber issues across various sectors, including provisions on health-sector cybersecurity.
The bill “reauthorizes the Hill-Burton program by providing $10 billion for fiscal years 2022-2026 for hospital infrastructure modernization and improvements. The title funds projects that will increase capacity and update hospitals and other medical facilities in order to better serve communities in need. Priority is given to projects for public health emergency preparedness or cybersecurity upgrades that will protect against cyber threats,” according to the analysis.
The legislative text, updated from a similar version that passed the House last year, includes language on cyber in the energy and telecom sectors, as well as water and others.
For instance, under the electric grid modernization section, it says: “Each project carried out with financial assistance provided under subsection (a) shall include the development of a cybersecurity plan written in accordance with guidelines developed by the Secretary of Energy.”
A source close to the Energy and Commerce panel said the measure is “infused” with cyber elements and that the committee will “make it compatible” with the Biden proposal.
The House last year also passed “The Moving Forward Act” from the Transportation and Infrastructure Committee, which included cyber provisions affecting industries across the transportation sector.
Chairman Peter DeFazio (D-OR) has committed to pushing the measure to enactment this year, saying at a March hearing, “getting this monumental effort across the finish line is this Committee’s top legislative priority.”